<html>
<head><meta charset="utf-8"><title>CVE handling as a service · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html">CVE handling as a service</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="172491592"></a>
<h4>Florian Gilcher <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#172491592">(Aug 05 2019 at 09:45)</a>:</h4>
<p>Is there a service that signs me up for all important things needed for running a project with secure practices (CVE registrations, etc.) <em>and</em> gives me a safe channel to get in touch in one go?</p>



<a name="172491611"></a>
<h4>Florian Gilcher <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#172491611">(Aug 05 2019 at 09:45)</a>:</h4>
<p>e.g. similar to those journalist mailbox services that were all the rage 5 years ago</p>



<a name="173032881"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173032881">(Aug 12 2019 at 15:23)</a>:</h4>
<p>not that I'm aware of <span class="user-mention" data-user-id="215333">@Florian Gilcher</span>, in fact, you might notice the RustSec FAQ specifically advises you to handle that all in advance and disclose before filing an advisory so we don't have to deal with being part of an embargoed disclosure process because it's such a hassle <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="173033009"></a>
<h4>Florian Gilcher <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173033009">(Aug 12 2019 at 15:24)</a>:</h4>
<p>I was thinking less about RustSec here, but it just seems that someone providing easy mailboxes for such stuff sounds like a reasonable thing (unless you are super paranoid about your supplier).</p>



<a name="173033017"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173033017">(Aug 12 2019 at 15:24)</a>:</h4>
<p>honestly I dislike pretty much everything about CVE, and even though I am (or was, a decade ago) friends with the person behind DWF and <a href="http://iwantacve.org" target="_blank" title="http://iwantacve.org">iwantacve.org</a>, all attempts to improve the process don't seem to be working</p>



<a name="173033099"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173033099">(Aug 12 2019 at 15:25)</a>:</h4>
<p>the closest thing I can think of are GitHub's embargoed security issues</p>



<a name="173033166"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173033166">(Aug 12 2019 at 15:26)</a>:</h4>
<p>which I would certainly prefer to GPG-encrypted email for initial vuln disclosures, heh</p>



<a name="173034579"></a>
<h4>Florian Gilcher <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173034579">(Aug 12 2019 at 15:41)</a>:</h4>
<p>Yeah, but I can only open them as a maintainer, I cannot have people open them.</p>



<a name="173035771"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20handling.20as.20a.20service.html#173035771">(Aug 12 2019 at 15:57)</a>:</h4>
<p>that is unfortunate</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>